On 01/08/2010 05:10 PM, Robert Relyea wrote:
NSS needs attributes that are not defined by PKCS #11. It uses these
attributes in it's own PKCS #11 modules. You are free to return
CKR_INVALID_ATTRIBUTE when you see these attributes (which is what you
should return). NSS should be able to deal with that. If not let me
know. (Most likely NSS will choose another token that supports this
object and store it there).
NOTE: In general, if NSS asks you to do something that you do not
support, it is not necessarily an error for you to return that the
request was not valid. NSS will switch to a different token in those
cases. NSS depends on the PKCS #11 module properly signalling that it
can't do something (or the session has been destroyed, or any number of
other error conditions) rather than trying to build complex matrices of
possible fail conditions and always asking for operations it expects to
work.
Given what you just said, openCryptoki seems to be correctly returning
CKR_TEMPLATE_INCOMPLETE when NSS is trying to C_CreateObject() with
vendor-defined object classes. In our traces we see NSS querying and
trying to create objects using CKO_NSS all the time so I was expecting
this to be the reason behind some of our compatibility problems, but
looking more closely now it seems it doesn't relate.
The issue I'm seeing, in case anyone is interested: I can create
self-signed certificates (certutil -S ... -x) but fail at creating a
cert signed by another CA cert in my database (certutil -S ... -c
'nickname').
--- output ---
[r...@popcorn klausk]# certutil -S -d test-nssdb/ -h mytoken -n
TestCert5 -s "cn=popcorn.ltc.austin.ibm.com,o=ibm,ou=ibm,c=us" -t u,u,u
-c dummyCAcert3
Enter Password or Pin for "mytoken":
<..snip..>
Finished. Press enter to continue:
Generating key. This may take a few moments...
certutil: could not find certificate named "dummyCAcert3": security
library: bad database.
certutil: unable to create cert (security library: bad database.)
---- end ----
Traces shows that the C_GenerateKeyPair() succeeds, but then, after
querying for the modulus and setting CKA_ID for both keys, NSS
apparently tries to sign something using the (newly generated) private
key handle (isn't that odd?)
Everything returns CKR_OK but NSS goes to CloseAllSessions and
C_Finalize(), returning the above message.
Any clues?
Thanks,
-Klaus
--
Klaus Heinrich Kiwi | kla...@br.ibm.com | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
